Example of Importing User Accounts Using Active Directory


This section will walk you through an example of importing a user account from Active Directory. Although this chapter will illustrate the steps and concepts for this task, the values are specific to the example Active Directory server and will not work on your Active Directory system.

Although some of the values in this example are specific to Active Directory, you can use a very similar example to import user accounts from LDAP.

Use the following menu options to navigate the Skylar One user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Required Tasks

To configure Skylar One to automatically create accounts for existing LDAP or AD users, you must perform the following steps:

  1. Create one or more user policies that define account properties and privilege keys in Skylar One for imported LDAP users or AD users.
  • When creating the user policy, you must select LDAP/Active Directory in the Authentication Method field.
  • You can create more than one user policy for imported user accounts.
  • Later, in the LDAP/AD Auth Resource Editor page (System > Settings > Authentication > Resources > create/edit LDAP/AD Resource), you specify the user policy to apply to imported user accounts.
  2. Create an LDAP or AD credential that allows Skylar One to read from (and optionally, write to) the LDAP or AD directory.
  3. Define the LDAP/AD Authentication Resource.
  • Specify how Skylar One should communicate and exchange information with the LDAP or Active Directory server.
  • Specify how Skylar One should map LDAP or AD attribute values to fields in the Account Properties page.
  • Specify whether Skylar One should remain synced with the LDAP/AD server. If an LDAP or AD administrator makes changes to an account, Skylar One can automatically retrieve those updates and apply them to the user's account in Skylar One (in the Account Properties page) the next time the user logs in to Skylar One.
  4. Define one or more Authentication Profiles that tell Skylar One how to recognize LDAP/AD users and which Authentication Resource to use with those users.
  5. After completing these steps:
  • Each LDAP/AD user must log in to Skylar One using the LDAP or AD username and the LDAP or AD password.
  • Skylar One will examine the hostname or IP address in the incoming URL request to align the user with an Authentication Profile.
  • The Authentication Profile tells Skylar One which Authentication Resources to use to authenticate the user.
  • Skylar One will use the settings and the credentials defined in the LDAP/AD Authentication Resource to query the LDAP or AD directory to authenticate each user.
  • Optionally, Skylar One will use the mappings and the user policy specified in the LDAP/AD Authentication Resource to create each user account. The username will be the value of the attribute named in the Search Filter field of the LDAP/AD Authentication Resource.

Example Entry in Active Directory

Suppose we have an entry in Active Directory that looks like this:

NOTE: For details on how the attribute names map to the page displays in Active Directory, see the appropriate Active Directory documentation.

# kgibson, Users, ScienceLogicHQ, sciencelogic.local

dn: samaccountname=kgibson,ou=Users,ou=ScienceLogicHQ,dc=sciencelogic,dc=local

samaccountname: kgibson

cn: Kate Gibson

userPassword: ilovedocs!

department: documentation

streetaddress: 12369 Sunrise Valley Drive

l: Reston

st: VA

c: US

postalCode: 20191

mail: kgibson@sciencelogic.com

telephoneNumber: 703-354-1010

facsimileTelephoneNumber: 571-336-8000

mobile: 703-354-1011

pager: 703-354-1111

givenName: Kate

sn: Gibson

 

In this entry, we have a user named "kgibson", who resides in the ou called "Users", in the ou called "ScienceLogicHQ" in the domain "sciencelogic.local". We'll use this information when configuring Skylar One to authenticate this user.

Creating a User Policy

When you configure Skylar One to automatically create user accounts for Active Directory users or LDAP users, you must define one or more user policies for those imported accounts. Because you will not be creating the accounts manually and then manually defining the account properties, Skylar One uses the user policy to define the properties for the user account.

For our example, we performed the following:

  1. Go to the User Policies page (Registry > Accounts > User Policies).
  2. Click the Create button. The User Policy Properties Editor page appears.
  3. In the User Policy Properties Editor page, we supplied the following values:
  • Policy Name. Name of the user policy. Can be any combination of alphanumeric characters, up to 64 characters in length. We entered AD_Imported.
  • Login State. Specifies whether user accounts created with the policy can log in to Skylar One. We selected Active. This means that as soon as the policy creates an account, the account user can log in to Skylar One.
  • Account Type. This drop-down contains an entry for each standard account type. These account types affect the list of Access Keys for the user. We selected User.
  • User. Accounts of type "user" are assigned Access Keys. Access Keys are customizable by the administrator and grant users access to pages and tabs and permit users to view information and perform tasks in Skylar One. These Access Keys are defined by the system administrator from the Access Keys page (System > Manage > Access Keys).
  • Password Strength, Password Expiration, Password Shadowing, Require Password Reset. These fields govern passwords that Skylar One stores and checks itself. They are not used for LDAP/AD authentication, because the AD or LDAP server validates the password, so you can skip them. For completeness, our example policy has the following values:
  • Password Strength. We selected Good. (For locally authenticated accounts, the password must meet this strength.)
  • Password Expiration. We selected 60 days. (For locally authenticated accounts, the user is forced to change the password after 60 days.)
  • Password Shadowing. We selected Default. (For locally authenticated accounts, the user cannot reuse any password from the past year.)
  • Require Password Reset. We did not select this checkbox. (The user will not be asked to reset the password at the next login.)
  • Authentication Method. We selected LDAP/Active Directory. This selection is required. The user's username and password will then be authenticated by the Active Directory server or the LDAP server.
  • Restrict to IP. We left this field blank. If selected, the user will be allowed to access Skylar One only from the specified IP. Specify the IP address in standard dotted-decimal notation.
  • Event Console Default Display. Specifies how the Event Console page will appear by default. We chose Flat events table.

  • Ticket Queue Memberships. We highlighted the ticket queues specifying which users will be members. In our example, this is Documentation.
  • Primary Organization. Specifies the primary organization. We selected System. This will be the default organization for user accounts created with this policy. You can select from a list of all organizations in Skylar One.
  • Theme. Backgrounds, colors, fonts, and graphics that will appear when a user logs in. We selected ScienceLogic: White + Blue Titlebars.
  • Time Zone. The time zone to associate with each user account created with this user policy. We selected New_York. Dates and times in Skylar One will be displayed for the selected time zone.
  • Organization Memberships. User accounts created with this user policy will be members of each selected organization. We did not select any additional organizations.
  • Privilege Keys. The Privilege Keys pane displays a list of Access Keys that can be assigned to the user's account. We selected Grant All. This means the user can access all parts of Skylar One (but cannot create or edit additional Access Keys).
  • Re-Apply All Settings to All Policy Members. We left this field unchecked.
  4. Click the Save button to save your new user policy.

Creating a Credential for Active Directory

When you configure Skylar One to automatically create user accounts for Active Directory users, you must define one or more credentials, so Skylar One can communicate with the Active Directory server. Skylar One must communicate with the AD server, both to authenticate each user and to retrieve information about each user to include in each user's user account.

For our example, we performed the following:

  1. Go to the Credential Management page (System > Manage > Credentials).
  2. Click the Actions menu, then select LDAP/AD Credential.
  3. The Credential Editor modal page appears. In this page, you can define the new credential.
  4. Supply a value in each of the following fields:
  • Profile Name. Name of the credential. We specified ScienceLogic AD.
  • LDAP Type. Specifies the type of LDAP implementation running on the directory server. We selected Active Directory.
  • Hostname/IP. Hostname or IP address of the Active Directory server. We supplied the IP address of the Active Directory server (192.168.10.21).
  • Secure. Specifies whether you are using the "LDAP over SSL" protocol. We selected No. Note that with No, the bind (which carries the user's AD password) and the attributes returned by the directory travel in clear text between Skylar One and the AD server. Outside a lab, select Yes and use the LDAPS port (636 by default).
  • Port. Port number on the LDAP or Active Directory server to which Skylar One will send requests. We accepted the default port value (389), the standard port for unencrypted LDAP.
  • Timeout. We accepted the default value of 10000.
  • RDN (Bind DN / bind user). This field specifies the bind DN. The bind DN is an account on the Active Directory server or the LDAP server that is allowed to search the directory within the specified search base. We entered:

%u@%d

This says that the bind DN "kgibson@ScienceLogic.local" will allow Skylar One to authenticate the user and retrieve information about that user.

  • In Skylar One, the %u variable stores the latest username from the login page.
  • In Skylar One, the %d variable stores the value specified in the field LDAP Domain.
  • To configure Skylar One to automatically create accounts when a user logs in with an AD name and password, you must include the %u variable in this field.
  • When an AD user logs in to Skylar One, Skylar One stores the username in the %u variable. Skylar One then uses the %u variable to build the bind DN, uses the bind DN to communicate with the AD server, and then asks the AD server to authenticate the current user.
  • LDAP Domain. If your LDAP or Active Directory configuration includes multiple domains, specify the domain components to bind to in this field. We entered ScienceLogic.local.
  • Bind Password. Password that allows access to the Active Directory server or the LDAP server. In most cases, when you specify a bind password in a credential, you are creating a "write" credential (that is, a credential that allows Skylar One to make changes to the LDAP or AD server). We left this field blank: because the RDN field contains %u, Skylar One binds as the user who is logging in, using the password that user entered on the login page, so no stored bind password is needed.
  • User Search Base. Specify where in the AD directory to find the user accounts to import, as an LDAP distinguished name (DN). The search base tells Skylar One which part of the external directory tree to search. We entered:

ou=Users,ou=ScienceLogicHQ,dc=ScienceLogic,dc=local

This specifies that Skylar One can import any Active Directory account in the ou "Users", in the parent ou "ScienceLogicHQ", in the domain "ScienceLogic.local". Whether accounts in child ous beneath "Users" are also found depends on the User Search Scope field: they are included only when the scope covers all child branches of the search base, not when it is limited to one level.

NOTE: For details on search syntax for Active Directory, see http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx. For details on the search syntax for LDAP, see http://www.faqs.org/rfcs/rfc2254.html (RFC 2254, since superseded by RFC 4515).

  • User Search Scope. Specify whether Skylar One should search only the directory level specified in the User Search Base field or that level and all its child branches. We selected One Level, so only entries directly beneath ou=Users are searched; an account in a child ou of "Users" would not be found, and that user could not log in.
  5. Click the Save button to save your changes to the credential.

Creating an LDAP/AD Authentication Resource

An Authentication Resource is a configuration policy that describes how Skylar One should communicate with a user store. In this section, the user store is an Active Directory user store. The LDAP/AD Auth Resource Editor page allows you to define an Authentication Resource for use with an AD user store. An LDAP/AD Authentication Resource specifies the connector (communication software) to use to communicate with the AD user store and the credential to use to connect to the user store. An LDAP/AD Authentication Resource can also map attributes from the user's AD account to fields in the user account on Skylar One.

To create an LDAP/AD Authentication Resource:

  1. Go to the Authentication Resource Manager page (System > Settings > Authentication > Resources).
  2. In the Authentication Resource Manager page, click the Actions menu and then select Create LDAP/AD Resource. The LDAP/AD Auth Resource Editor page appears.
  3. Enter values in the following fields:

Basic Settings

  • Name. Name of the LDAP/AD Authentication Resource. Enter Import_AD_Resource.
  • User Display Name. User's username, email address, or preferred display name. This value is determined by the user's authentication resource settings. This drop-down field includes the following options:
  • disable. Uses the current default behavior, which displays the user's username in the Skylar One user interface and in the logs.
  • e-mail address. Displays the user's email address in the Skylar One user interface and in the logs.
  • user principal name. Displays the value from the UPN field on this page in the Skylar One user interface and in the logs.
  • UPN. The value that displays in the Skylar One user interface and in the logs. If you select user principal name in the User Display Name field, then the value from this field displays in the Skylar One user interface and in the logs. This field is blank by default for all existing (pre-11.2.1) authentication resources, but can be manually updated.
  • Read Credential. Select the credential we created earlier, ScienceLogic AD. This credential allows Skylar One to read data from an Active Directory server.
  • Write Credential. Leave this field blank.

NOTE: Your organization membership(s) might affect the list of credentials you can see in the Read Credential field and the Write Credential field.

  • User Name Suffix. Leave this field blank.
  • Search Filter. Specifies where to find the user's account information in Active Directory. Enter the following:

(samaccountname=%u)

This says to search for the entry whose samaccountname attribute matches the login name (entered when the user logs in to Skylar One and then stored in the variable %u). Because the login name is substituted into this filter as typed, it is worth confirming that a login name containing filter metacharacters such as *, ( or ) is rejected rather than changing the meaning of the query.

  • Sync directory values to EM7 on login. If the AD administrator makes changes to an AD account, Skylar One will automatically retrieve those updates and apply them to the user's account in Skylar One (in the Account Properties page) the next time the user logs in to Skylar One.
  • Sync EM7 values to directory on save. If an administrator made changes to the user account in Skylar One, Skylar One will automatically write those changes to the user's account in LDAP or Active Directory. This option requires a write credential.

Attribute Mapping

If you have configured Skylar One to automatically create accounts in Skylar One for AD users, these fields specify the AD attribute value that will be automatically inserted into each field in each user's Account Properties page.

Skylar One automatically populates as many of these fields as possible. You can edit or delete the default values provided by Skylar One.

For example, Skylar One automatically inserts the value of the AD attribute "sn" (surname) into the Last Name field in each user's Account Properties page.

NOTE: Skylar One requires that the LDAP or AD attribute name that you specify in each field uses all lowercase characters.

  • First Name. Specifies the AD attribute value that will be automatically inserted into the First Name field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "givenname" into this field. We accepted the default value.
  • Last Name. Specifies the AD attribute value that will be automatically inserted into the Last Name field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "sn" into this field. We accepted the default value.
  • Phone. Specifies the AD attribute value that will be automatically inserted into the Phone field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "telephonenumber" into this field. We accepted the default value.
  • Mobile. Specifies the AD attribute value that will be automatically inserted into the Mobile field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "mobile" into this field. We accepted the default value.
  • Primary Email. Specifies the AD attribute value that will be automatically inserted into the Primary Email field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "mail" into this field. We accepted the default value.
  • Street Address. Specifies the AD attribute value that will be automatically inserted into the Street Address field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "streetaddress" into this field. We accepted the default value.
  • Suite/Building. Specifies the AD attribute value that will be automatically inserted into the Suite/Building field in each user's Account Properties page.
  • City. Specifies the AD attribute value that will be automatically inserted into the City field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "l" into this field. We accepted the default value.
  • State. Specifies the AD attribute value that will be automatically inserted into the State field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "st" into this field. We accepted the default value.
  • Postal Code. Specifies the AD attribute value that will be automatically inserted into the Postal Code field in each user's Account Properties page. By default, Skylar One inserts the value of the AD attribute "postalcode" into this field. We accepted the default value.
  • We accepted the default values (usually a blank field) in all other fields.

User Policy Alignment

  • Type. Specifies whether Skylar One should automatically create accounts in Skylar One for each LDAP or Active Directory user in the search base (which is specified in the credential), whether Skylar One should simply use LDAP or Active Directory to authenticate one or more users, or whether Skylar One will refuse to authenticate specific users. We selected Static policy alignment:
  • Static policy alignment. If an LDAP or AD user logs in to Skylar One using the LDAP or AD attribute specified in the Search Filter field, Skylar One will automatically create an account for that user. Skylar One will use one user policy (specified in the Policy field) to create all imported LDAP or AD user accounts. Skylar One will also use the settings and credentials specified in this page when creating the account.

If you selected Static policy alignment in the Type field, you must supply a value in the Policy field:

  • Policy. Specifies the user policy to use to automatically create an account in Skylar One for each LDAP or AD user. Select from a list of all user policies that specify LDAP /Active Directory in the Authentication Method field. We selected the User Policy we created earlier, AD_Imported.

  4. Click the Save button to save your changes to the new Authentication Resource.

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with one or more Authentication Resources.

  • Alignment by pattern matching. Skylar One uses the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the criteria specified in an authentication profile, Skylar One will automatically use the matching profile to perform user authentication.
  • Credential Source. Specifies from where Skylar One should extract the user name and password or certificate to be authenticated. These credentials are passed to Skylar One via HTTP. Skylar One then passes the credentials to each Authentication Resource specified in the Authentication Profile. The Authentication Resources authenticate the credentials with user stores.
  • Authentication Resource. Specifies the connector to use to communicate with the user store, the credential to use to connect to the user store (if applicable), and the URLs to examine during authentication. Also maps attributes from the user's account in the user store to fields in the Skylar One user account.
  • Multi-factor Resource. Specifies the connector to use to communicate with the multi-factor endpoint. A Multi-factor Resource specifies the hostname or IP address of the Authentication Agent, the access key for communicating with the endpoint, and the URL of the RSA REST endpoint.

The Authentication Profiles page allows you to create a new authentication profile. To do so:

  1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).
  2. Click the Create button. The Authentication Profile Editor modal page appears.
  3. In the Authentication Profile Editor modal page, you can define the new authentication profile.
  • Name. Name of the Authentication Profile. We entered Import_AD_Profile.
  • Priority Order. If Skylar One includes multiple Authentication Profiles, Skylar One evaluates the Authentication Profiles in ascending priority order. Skylar One will apply the first Authentication Profile that matches the Hostname or IP in the current URL AND has the lowest value in the Priority Order field. We accepted the default value, 1.
  • Pattern Type. Specifies how Skylar One will evaluate the value in the AP Hostname Pattern field. We selected Wildcard. Skylar One will perform a text match, with wildcard characters (asterisks).
  • AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in a browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL or IP address matches the value in this field, Skylar One applies the Authentication Profile to the user for the current session. We entered *.sciencelogic.com in this field.

Skylar One will apply the Authentication Profile to each session on an Administration Portal, Database Server, or All-In-One Appliance where the user enters a URL ending with ".sciencelogic.com" into the browser.

  • Available Credential Sources. This field tells Skylar One how to retrieve the user's credentials from the HTTP request to Skylar One. To align a credential source with the Authentication Profile, highlight the credential source and click the right-arrow button. You can select zero, one, or multiple credential sources for the Authentication Profile. We selected:
  • EM7 Login Page. Skylar One will retrieve a user name and password from Skylar One login page fields.
  • Aligned Credentials Sources. This field displays the list of credential sources that have been aligned with the Authentication Profile. The Authentication Profile will examine each credential source in the order in which it appears in this list. When the Authentication Profile finds the user's credential, the Authentication Profile stops examining any remaining credential sources in the list.
  • Available Authentication Resources. This field tells Skylar One which Authentication Resources to use to authenticate the retrieved credentials. To align an Authentication Resource with the Authentication Profile, highlight the Authentication Resource and click the right-arrow button. You must select at least one Authentication Resource and can select more than one. We selected Import_AD_Resource, the LDAP/AD Authentication Resource we created earlier.
  • Aligned Authentication Resources. This field displays the list of Authentication Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Authentication Resource in the order in which it appears in this list. When an Authentication Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Authentication Resources in the list.
  • Available Multi-factor Resources. This field tells Skylar One which Multi-factor Resources to use to perform multi-factor authentication. To align a Multi-factor Resource with the Authentication Profile, highlight the Multi-factor Resource and click the right-arrow button.
  • Aligned Multi-factor Resources. This field displays the list of Multi-factor Resources that have been aligned with the Authentication Profile. The Authentication Profile will examine each Multi-factor Resource in the order in which it appears in this list. When a Multi-factor Resource successfully authenticates the user, the Authentication Profile stops executing any remaining Multi-factor Resources in the list.

NOTE: For details on configuring multi-factor authentication, see the section on using multi-factor authentication.

  4. Click the Save button to save your changes to the new authentication profile.

User Login to Skylar One

After completing the steps in this chapter:

  1. Suppose user "kgibson" logs in to Skylar One with the following credentials:
  • Account: kgibson
  • Password: ilovedocs!
  2. Skylar One will look for an existing account with an Account Login Name of "kgibson".
  3. If the account already exists, its account information tells Skylar One that this login is to be authenticated with AD. On the user's first login no account exists yet; in that case the Authentication Profile matched in the next step determines how the login is handled.
  4. Skylar One will check the login request and match the originator's URL or IP address to an Authentication Profile. In our example, the originator's URL will match the Authentication Profile we created, Import_AD_Profile.
  5. The Authentication Profile will tell the platform to extract the user's credentials from the ScienceLogic Login page and to use the Authentication Resource we created, Import_AD_Resource.
  6. The Authentication Resource will tell Skylar One to use the credential we created, ScienceLogic AD, to connect to the AD server. Skylar One will connect to the AD server using the bind DN built from the RDN field in the credential. The value we entered was %u@%d, so Skylar One will bind as "kgibson@sciencelogic.local", using the password the user entered on the login page.
  7. Skylar One will search the AD server, within the User Search Base from the credential, using the value specified in the Search Filter field in the Authentication Resource. In our example, Skylar One will search for a record whose samaccountname attribute matches the login name (entered when the user logs in to Skylar One).
  8. Based on the record found in the AD server, Skylar One will ask the AD server to authenticate the username and password that were passed to the ScienceLogic Login page.
  9. After authentication, Skylar One will retrieve values from the AD server to populate fields in the user's Account Properties page, creating the account with the AD_Imported user policy if it did not already exist.
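The login sequence above, together with the Search Filter expansion described under Creating an LDAP/AD Authentication Resource and the lowercase Attribute Mapping, as an added example that is not part of this manual or of the Skylar One product: a self-contained Python script that performs steps 6 to 9 offline against a constructed copy of the example directory entry. The in-memory directory standing in for the AD server, the function names, the RFC 4515 escaping applied to the login name before it replaces %u, and the ldapsearch helper are all assumptions made for this example; how Skylar One itself expands %u is not documented on this page.

```python
import base64
import re

# Constructed copy of the example entry above (not a real export); AD never
# returns a password attribute, so userPassword is left out.
EXAMPLE_LDIF = """\
dn: samaccountname=kgibson,ou=Users,ou=ScienceLogicHQ,dc=sciencelogic,dc=local
samaccountname: kgibson
cn: Kate Gibson
streetaddress: 12369 Sunrise Valley Drive
l: Reston
st: VA
postalCode: 20191
mail: kgibson@sciencelogic.com
telephoneNumber: 703-354-1010
mobile: 703-354-1011
givenName: Kate
sn: Gibson
"""

# Settings taken from the "ScienceLogic AD" credential and Import_AD_Resource.
CREDENTIAL = {
    "host": "192.168.10.21", "port": 389, "secure": False,
    "rdn_template": "%u@%d", "domain": "ScienceLogic.local",
    "search_base": "ou=Users,ou=ScienceLogicHQ,dc=ScienceLogic,dc=local",
    "scope": "one",
}
SEARCH_FILTER = "(samaccountname=%u)"
# Attribute Mapping: Account Properties field -> AD attribute (all lowercase).
ATTRIBUTE_MAP = {
    "first_name": "givenname", "last_name": "sn", "phone": "telephonenumber",
    "mobile": "mobile", "primary_email": "mail", "street_address": "streetaddress",
    "city": "l", "state": "st", "postal_code": "postalcode",
}
# RFC 4515: characters that must be escaped inside a filter value (assumed here).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: value}, lowercasing the names because
    LDAP attribute names are case-insensitive and the mapping table is lowercase."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "::" introduces a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            entry[name.strip().lower()] = value.strip()
    return entry

def escape_filter_value(value):
    """Escape a login name before it replaces %u. Without this, a name such as
    "*)(samaccountname=*" would rewrite the filter instead of being matched."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_bind_dn(username, cred):
    """Expand %u and %d in the credential's RDN (bind DN) field."""
    return cred["rdn_template"].replace("%u", username).replace("%d", cred["domain"])

def build_search_filter(username):
    """Expand %u in the resource's Search Filter field with the escaped login name."""
    return SEARCH_FILTER.replace("%u", escape_filter_value(username))

def filter_matches(ldap_filter, entry):
    """Evaluate a single equality filter "(attr=value)" against one entry."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if m is None:
        return False
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return entry.get(m.group(1).lower(), "").lower() == wanted.lower()

def map_attributes(entry):
    """Fill the Account Properties fields from the directory entry."""
    return {field: entry.get(attr, "") for field, attr in ATTRIBUTE_MAP.items()}

def login(username, password, directory, cred):
    """Steps 6 to 9 of the login flow. `directory` is an in-memory stand-in for the
    AD server: {bind dn in lowercase: (password, entry)}. Returns None when the
    bind or the search fails, in which case no account would be created."""
    bind_dn = build_bind_dn(username, cred)
    stored = directory.get(bind_dn.lower())
    if stored is None or stored[0] != password:
        return None
    ldap_filter = build_search_filter(username)
    if not filter_matches(ldap_filter, stored[1]):
        return None
    return {"bind_dn": bind_dn, "filter": ldap_filter, "account": map_attributes(stored[1])}

def ldapsearch_argv(username, cred):
    """OpenLDAP ldapsearch command doing the same bind and search, for checking the
    credential by hand before saving it (-W prompts for the user's password)."""
    scheme = "ldaps" if cred["secure"] else "ldap"
    return ["ldapsearch", "-x", "-H", f"{scheme}://{cred['host']}:{cred['port']}",
            "-D", build_bind_dn(username, cred), "-W", "-b", cred["search_base"],
            "-s", cred["scope"], build_search_filter(username)]

# Constructed directory holding only the example user and her example password.
DIRECTORY = {"kgibson@sciencelogic.local": ("ilovedocs!", parse_ldif(EXAMPLE_LDIF))}
```

Calling `login("kgibson", "ilovedocs!", DIRECTORY, CREDENTIAL)` returns the bind DN "kgibson@ScienceLogic.local", the filter "(samaccountname=kgibson)" and the mapped account fields (first name Kate, last name Gibson, city Reston, and so on); a wrong password or an unknown user returns None. The command from `ldapsearch_argv` is the quickest way to test a new credential against the real server: its `-s one` mirrors the One Level search scope, so if the user's entry sits in a child ou of the search base the search returns nothing, which tells you the scope or search base is wrong before you save the credential.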